Mark Jayson Alvarez [EMAIL PROTECTED] writes:
Suggestions are welcome... very much welcome. I just need to collate
everything.
Start with security(7).
In future, keep up with Security Advisories.
___
freebsd-questions@freebsd.org mailing
Mark Jayson Alvarez wrote:
Now we have a couple of inputs, we just have to figure out which is the proper
combination. Here they are:
1. Use private key for ssh logins (should bring the private key always... and
if it is stolen.)
Private keys can (and should) be passphrase protected.
Good day again!!
This has something to do with my previous email about finding an IRC bouncer
installed into one of our freebsd servers (4.9). Someone suggested here to run a
rootkit finder... I installed an rkhunter and eventually found an ascii text
file inside the /dev/ named saux and to
On Wed, Nov 16, 2005 at 09:51:08PM -0500, Steve Bertrand wrote:
Most *((cr/h)ackers* (and I use that term VERY loosely (aka:
script kiddies)) are interested in rooting a box, and setting up a
storage/sharing area that is free to them. This may not be
the case,
but it's better to
[...]
You can easily rebuild a new kernel with:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT_1000
Then create a script blocking ALL ports except those that you need.
Especially only allowing SSH access to the box from limited
IPs. If
you
--On Wednesday, November 16, 2005 20:29:55 -0500 Steve Bertrand
[EMAIL PROTECTED] wrote:
I think we have a serious problem. One of our old servers
running FreeBSD 4.9 has been compromised and is now
connected to an ircd server..
195.204.1.132.6667 ESTABLISHED
Ran into this recently.
I think we have a serious problem. One of our old servers
running FreeBSD 4.9 has been compromised and is now
connected to an ircd server..
195.204.1.132.6667 ESTABLISHED
Ran into this recently. Please post the entire output from:
# top
# w
# last
# ps -aux
# uname -a
...after that,
Mark Jayson Alvarez wrote:
Good Day!
I think we have a serious problem. One of our old
servers running FreeBSD 4.9 has been compromised and
is now connected to an ircd server..
195.204.1.132.6667 ESTABLISHED
I believe I'm having the same issue as you, except on FreeBSD
5.4-RELEASE. I
# ls -la /tmp
also /var/tmp
Indeed, many people would install with a /var partition, which would put
/tmp under /var via symlink, but a good point.
if you run awstats or phpBB - upgrade...
Agreed, but even phpBB may not be the fault. Many problems with PHP come
with the binary, not
also /var/tmp
Indeed, many people would install with a /var partition,
which would put /tmp under /var via symlink, but a good point.
My mistake... symlink was the wrong word to use here, for those who
create a /var partition without physically making a /tmp partition.
- top lists nothing significant. 97% idle CPU
Irrelevant, the process is probably idle right now.
- w only shows myself and one other legit user logged in
who is editing config files with vi
Perhaps they aren't currently logged in.
- last shows nothing but myself and that one other user
First, I want to thank you all for replying. For now what I just did is to
just pull the UTP cable from its ethernet port. Now, no one can access it.
However I tried once to put it back and then the ircd connection went up
silently. It is confirmed that we are running psybnc like what
Now what I want to do is to just reinstall the whole
operating system and secure it as well as I can. Like
someone said, it's just a waste to try to track it down
because the intruder might be located somewhere on the other
side of the world.
They are always on the other side of the
On 11/16/05, Mark Kane [EMAIL PROTECTED] wrote:
I also see a psyBNC server listening on port 7978:
server# sockstat -l4 | grep psybnc
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
wicked6  psybnc     15819 3  tcp4   *:7978           *:*
Funny thing is there
Steve Bertrand [EMAIL PROTECTED] wrote:
Now what I want to do is to just reinstall the whole
operating system and secure it as well as I can. Like
someone said, it's just a waste to try to track it down
because the intruder might be located somewhere on the other
side of the world.
On Wed, Nov 16, 2005 at 09:51:08PM -0500, Steve Bertrand wrote:
Most *((cr/h)ackers* (and I use that term VERY loosely (aka:
script kiddies)) are interested in rooting a box, and setting up a
storage/sharing area that is free to them. This may not be the
case, but it's better to 'observe' your
On Wed, Nov 16, 2005 at 05:16:37PM -0800, Mark Jayson Alvarez wrote:
Good Day!
At first I thought I was confused, but then I realized that you had
cross-posted your message to freebsd-security@ and
[EMAIL PROTECTED] Please don't do this, as it fragments the
discussion.
Good luck.
--
Steve Bertrand wrote:
- top lists nothing significant. 97% idle CPU
Irrelevant, the process is probably idle right now.
I understand, but I was trying to give you the results of the commands
that you asked Mark Alvarez to run.
- w only shows myself and one other legit user logged in
who is
On Nov 16, 2005, at 9:38 PM, Will Maier wrote:
OP has some asset that is being threatened or diminished by this
attack, be it his bandwidth, CPU cycles, host/network integrity or
self confidence. He needs to identify that asset and work quickly to
protect it. In most cases, this will mean
Marco Wertejuk [EMAIL PROTECTED] wrote:
try sockstat | grep 6667 to see which process is
connecting to irc and try to see what this process
is doing with lsof, but depending on what backdoor
or rootkit is used, it's possible to see nothing
because intelligent rootkits hide themselves
Ok done
David Kirchner wrote:
On 11/16/05, Mark Kane [EMAIL PROTECTED] wrote:
I also see a psyBNC server listening on port 7978:
server# sockstat -l4 | grep psybnc
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
wicked6  psybnc     15819 3  tcp4   *:7978           *:*
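As an added example (not code from the thread or from any of its posters), here is a small POSIX shell/awk filter that applies the two sockstat checks suggested in the thread, Marco's `sockstat | grep 6667` and the unexpected psybnc listener on 7978 shown above, to sockstat-style output: it reports any socket whose remote port is 6667 and any listening socket on a port outside an expected list. The sample lines are constructed, modelled on the output quoted above, and the allow-list of expected listening ports is an assumption for the example.

```shell
#!/bin/sh
# Added example, not from the thread: flag IRC-bouncer signs in sockstat output.
# Assumed input format (FreeBSD sockstat -4):
#   USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS
# Rule 1: any socket whose FOREIGN port is 6667 (IRC) is reported.
# Rule 2: any listening socket (foreign "*:*") on a port outside the
#         expected list is reported.

# Ports this host is expected to listen on (assumption for the example).
EXPECTED_LISTEN_PORTS="22 25 80"

# flag_sockets: reads sockstat-style lines on stdin, writes findings on stdout.
flag_sockets() {
    awk -v allowed="$EXPECTED_LISTEN_PORTS" '
    BEGIN {
        n = split(allowed, parts, " ")
        for (i = 1; i <= n; i++) ok[parts[i]] = 1
    }
    $1 == "USER" { next }                 # skip the header line
    NF >= 7 {
        user = $1; cmd = $2; pid = $3; laddr = $6; faddr = $7
        lport = laddr; sub(/.*:/, "", lport)   # keep the text after the last colon
        fport = faddr; sub(/.*:/, "", fport)
        if (fport == "6667")
            printf "IRC-CONNECT user=%s cmd=%s pid=%s remote=%s\n", user, cmd, pid, faddr
        else if (faddr == "*:*" && !(lport in ok))
            printf "UNEXPECTED-LISTEN user=%s cmd=%s pid=%s local=%s\n", user, cmd, pid, laddr
    }'
}

# Constructed sample modelled on the output quoted in the thread (not a real capture).
SAMPLE='USER     COMMAND    PID    FD PROTO  LOCAL ADDRESS     FOREIGN ADDRESS
root     sshd       312    4  tcp4   *:22              *:*
root     sendmail   400    4  tcp4   127.0.0.1:25      *:*
wicked6  psybnc     15819  3  tcp4   *:7978            *:*
wicked6  psybnc     15819  5  tcp4   10.0.0.5:3412     195.204.1.132:6667
mark     sshd       900    6  tcp4   10.0.0.5:22       10.0.0.9:51022'

# scan_sample: run the filter over the embedded sample lines.
scan_sample() {
    printf '%s\n' "$SAMPLE" | flag_sockets
}

# On the suspect host itself you would run:  sockstat -4 | flag_sockets
scan_sample
```

Run on the embedded sample this reports the psybnc listener on 7978 and its outbound connection to port 6667, and nothing for sshd or sendmail. As Marco points out above, sockstat only shows what the running kernel reports, and a rootkit can hide sockets, so a clean result taken on the suspect box itself is not conclusive.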